Security Concerns and the Connected Car

October is National Cyber Security Awareness month. Connected cars are an amazing idea, yet a relatively new technology. Read on to learn about possible security concerns and how to stay safe. This is part 11 in a series of blog posts we will be publishing on various topics aimed at educating you on how to stay protected on today’s Internet landscape.

As newer cars are becoming more computerized, this updated technology allows access to more than just entertainment systems and hands free calling. Most modern cars come with, at the very least, Bluetooth connections that allow you to connect your phone for basic usage, but a lot of automakers and developers are starting to partner up in order achieve a more, all-inclusive computerized interface that runs directly in the car.

Currently, services and applications are delivered to a car in two ways. Smartphones and tablets that connect to the car via wireless connections, and autonomous computer systems built into vehicles that have their own independent Wi-Fi, Bluetooth and 4G LTE connections.

Smartphone integration with vehicles has made driving much simpler in recent years, and it’s hard to find a driver today who does not use GPS, streaming audio and other smartphone features in their car. But what are the downsides to being constantly connected when driving? While you’re getting vital information to help you reach your destination and other “infotainment” features, what vital information of yours is flowing the other way? In addition to keeping your personal information safeguarded, what are the security concerns of having a vehicle that is computerized, from air conditioning control to zero emissions systems?

How Does A Connected Car Work?

There are hundreds of computer systems in a connected vehicle that do a variety of things, from monitoring your tire pressure to providing voice-controlled navigation. As technology progresses and we become more connected to things in our lives, such as our homes, it only seems logical that the natural progression of this type of integration migrates to our cars as well.

These integrations are essentially split into two types of services: infotainment and engine management systems. These systems are independent of each other, so should hackers gain access to the infotainment portion of the system, it will not affect the car’s mechanical system.

Infotainment systems provide features that are usually connected to your smartphone. You can incorporate your music library into your sound system, or stream audio via popular streaming service apps. The system can help you navigate your way from A to B by providing navigation services, such as directions and real time traffic alerts. These systems even grant access to many communication platforms by safely using voice integration to allow voice activated SMS and voice calls. Newer vehicles that have their own 4G connections can even create an in-vehicle “hot spot” for other devices to connect to.

Some major automakers are creating applications for your smartphone that allow you to monitor and access the vehicle’s mechanical system and diagnostic services. The apps can alert you to basic maintenance issues, such as when you need an oil change, if your tire pressure is low, if there is a part that needs replacing, or if general maintenance is required. In addition to these alerts, you can also analyze your car’s performance as a whole, such as general engine performance, gas mileage, and battery charge. There are also security features built into some of these apps that allow remote start via your smartphone, the ability to arm the alarm, and lock and unlock the doors.

Security Concerns for the Connected Car

There are two concerns when it comes to this technology: access to the vehicle’s computer systems and the data that it collects and stores.

Your privacy is something you can take control of right now, and the best place to start is with the smartphone in your pocket. Since many of these apps exchange data with your car, and connected cars themselves are extremely difficult to hack, it is most likely that the smartphone will be the more attractive target. When using car-connected apps, there are a few things you should be aware of when installing and using these applications. When you download and install a new app, it will request access to various features of your phone. Rather than simply tapping “accept” and forgetting about it, take the time to read app permissions and the privacy policy of the app. Once fully informed about what the app intends to do, what data it requests to access and what it plans to do with that data, then consider whether the app needs access to the parts it’s requesting, or is worth installing at all. Of course a navigation app needs to use your phone’s GPS to function properly, but does it really need access to your full Facebook profile, or your contacts list? If in doubt, you can always look for a less intrusive alternative.

Keep in mind; there are other ways that your data can be leaked besides through your smartphone. Some cars send your GPS tracking out in order to report traffic jams; some newer concepts will even send your location when you exit a parking spot, so that other cars know that there is a free spot. With all of this GPS data flying around to various “helpful” databases, as well as to the car companies themselves (it is uncertain what these companies do with personal data collected by a connected vehicle), it is important to do your research on the particular car that you are interested in purchasing, and finding out what the privacy policy is in regards to your data.

Security breaches via the car’s computer systems can happen in two ways- via the car’s built in wireless interfaces or physical access to the vehicle itself.

A study published by the University of California, San Diego has tested physical breaches, which are when a person, such as a mechanic or valet, has access to the car itself, uploads malware through a port. Sometimes, people will upgrade to a new stereo, or add a new alarm system, and if you’re not careful, these aftermarket parts can come pre-infected with malware that will allow a hacker access to the car’s computer system. Malware can even be encoded in MP3 music files and introduced through CDs or USB sticks.

Wireless interface breaches can occur through the features of the car itself- the built in cell network, GPS, short range wi-fi and Bluetooth.

What can these attacks do?

The study by the University of California, San Diego mentioned above, tested out just how hackable a connected vehicle really is. The researchers were able to disable the engine, reroute GPS directions, insert malware, remotely disable the brakes, alter the speedometer readings, and more. However, in order to perform these hacks, the hackers had to be within close proximity of the vehicle, driving alongside it as the hacks were performed. At this point with this newer technology, vital system hacks have been proven difficult to execute.

How to stay safe:

Luckily, this is still a relatively new technology, and although there have been studies done on how to access these systems, there have been very few actual cases of connected car hacking. Here’s what you can do to make sure you keep your data safe into the future, while you enjoy your fancier, connected ride:

• Secure your smartphone, as this is an easier target for hackers.
• Within any app, via the vehicle itself or the app on your phone, be sure to change the default admin username and password.
• Update software as soon as it is available. This patches vulnerable security holes.
• Don’t reuse the same passwords across apps.
• Only visit certified repair centers. Dishonest shops can steal data, inject malware and trigger false repair alerts.
• If you want to install after market parts, check with your car dealer first to make sure they are safe.
• Turn off your phone’s GPS when not using GPS services. This makes it harder to constantly track your location (this is a great battery life saver too!).  
• Be aware of Social media. If you must allow apps access to your Facebook profile or Twitter account, try to be a bit more aware of what you upload to them. Is there really any need to include your most personal information about your car and where you are on social networking sites?

New technology is always an exciting thing. It enriches our lives in new ways that we never thought possible. With new advances in technology come new risks with our personal information. It’s okay to jump on the new tech bandwagon as long as you are aware of the risks involved and educated on how to keep your information secure.

This is part 11 of a series of blogs for National Cyber Security Awareness Month.

For more information on various topics, check out:
Week 1
5 Ways You Didn't Know You Could Get a Virus, Malware, or Your Social Account Hacked
How To Choose a Secure Password
How To Avoid Identity Theft Online
How To Protect Yourself From Phishing Scams
How To Protect Yourself From Cyberstalkers

Week 2
Mobile Scams: How-to Identify Them and Protect Yourself
Exactly How Free Is That Free App?
BYOD And Protecting Your Mobile Workforce
Cyber Security Concerns and Smartphones

Week 3
Keeping Your Mobile Fitness Data Secure
The Connected Home- Just How Safe Is Convenience?

Week 4
Securing Employee Technology, Step by Step
Are Your Vendors Putting Your Company’s Data at Risk?
Four Mobile Threats that May Surprise You
Theft-Proof Your Mobile Data
Traveling? Don’t Let Your Mobile Data Stray

Week 5
How Do Cybercriminals Get Caught?